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MEMORANDUM FOR 

VIA 

FROM 

SUBJECT 


Chief, Audit Staff 
Inspector General 



j opp 


.r> 


Acting director of Personnel 


DD/P^l 


Action Taken on Report of Audit Appraisal, 
Human Resources System 



f 0/v/oDpp^i 

1 *>v *}) ' 


1. I have, reviewed the Report of Audit Appraisal, Human 
Resources System (HRS) of 31 March 1981. The HRS represents 
the development of a complex computer system and since its 
acceptance and activation in March of 1980, it has been used 
successfully, proving to be an accurate integrated centralized 
personnel information system responsive to Agency management 
requirements. The scope of the audit and the several findings 
are reasonable, constructive, and acceptable. 


2, Our actions and responses to the audit comments and 
recommendations are keyed to the report. 

Recommendation jML : Formally designate a data base 
manager for the HRS and give him final approval 
authority for all changes to the HRS, 


The Chief, Information Division is designated as the Data 
Base Manager of the HRS with responsibility for changes, 
interfaces, and access to the HRS. (Mote- Chief, ID was not 
interviewed during the audit, ) Supplementing this designation 
is the alignment and utilization of Chief, Automated Data 
Resources Branch (ADRB) as the, Technical Data Base Manager, 
participating in the development and servicing of the data 
structure relevant to the software, testings, and system 
program implementation. This combination is a satisfactory 
and practical arrangement since Chief, Information Division, 
as DBM, confers and consults daily with Chief, ADRB and Chief, 
Information and Analysis Branch (TAB) for purposes of discussing „ 
system applications , changes, controls, requirements, and 
resolution of problems. Chief, ID, by. this routine, is fully 
cognizant of HRS activity with complete confidence in actions 
' proposed and taken by C/ADRB and C/IAB. However, in furtherance 
of the audit recommendation, all requests for changes to the 
HRS (workorders) will be approved and signed by Chief, ID as 
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DBM, after impact assessment with C/ADRB. and C/IAB, as appropriate. 
In the absence of C/ID, the C/ADRB, as Technical DBM, will insure 
system continuity and IAB compatibility for HRS modifications, 
and sign workorders as needed. 

Recommendation #2 : Document in writing ADRB’s testing 
and approval of software changes. The documentation 
should include as a minimum: the name of the individual 
testing the changes, the results obtained, the date of 
the test, the date of the approval, and the signature 
of the individual approving implementation of the change. 

Hard copy backup of testing information is maintained 
by ADRB and contains the documentation noted in Recommendation 
#2, but only a verbal approval to execute the change was given 
to ODP, This procedure has been changed to conform to the audit 
recommendation with ADRB giving ODP written approval for 
implementing software changes. 

Recommendation #3 : Require prior written approval 
from the t)BM or other designated individuals for 
changes to the Common Validation Dictionaries, 

Changes to COMVAD are controlled very closely with review 
and assessment of the requested change (s) by C/ADRB. All 
requests are documented by ADRB and retained indefinitely 
CCOMVAD audits are held for at least one year) . Changes to 
jCOMVAD will be made only after C/ADRB or the DBM has placed 
signed approval on the documented request. 

Re c omme n dation #4 : Request the ODP to modify the HRS 

- — so that security' violation notices reject the transaction 
at time of entry- and such notices are recorded for 
subsequent review and appropriate follow-up. 

ODP Production Division has been requested, 'by memorandum 
"to have the system reject improper requests for data and to 
send daily listing of all security code violations issued by 
HRS~2 to ADRB for review and follow-up as appropriate, (Copy 
attache dl. 

Recommendation #5 : Periodically review the access 
list and update as required. 

Operators on HRS data base have been reviewed; adds, 

"changes, and deletes have been made to align the data base, 
and signed user authorization lists have been sent to each 
-branch having HRS-2 users. A quarterly review will be made to 
keep the lists current. 
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Recommendation #6 (For ODP) : Follow established 
procedures to ensure that backup copies of HRS 
files are stored offsite in a timely manner. 

ODP Production Division has been requested, by 
memorandum, to conform with this recommendation. (Copy attached). 

Recommendation # 7: Determine whether MINI-GAP can 
be used in lieu of manual posting of Service Record 
Cards . 

Although the Mini-GAP program contains data which is 
applicable to Service Record Cards (SCR/SF-7) purposes, it. 
is data only from July 1975 forward. Moreover, configuration 
pf the Mini-GAP file is not conducive (cost effective) to 
automated production of the SRC. Automated production of the 
SRC was planned as a component and function of the General 
Archives Program (GAPi -- a storage and retrieval system of 
history and personnel information from 1968 forward. Time 
and resource impasses necessitated the suspension of GAP. 
development. However, its- completion and applications, including 
elimination of manual posting of the SRC, remain objectives which 
regrettably, at this time, are overtaken by higher priority 
commitments-. 

Comment to Para 14 : 

Security has- been tested and installed on the race and 
handicap codes and the true name values on the production data 
base. These codes/values have been protected previously but 
they' are now available to fewer system users, 

3, The appraisal was helpful and balanced, and I am 
appreciative of the efforts and consideration extended by the 
auditors. 
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MEMORANDUM FOR: 


FROM 


SUBJECT 


ne± , Production Division , ODP 


Chief, Information Division, OP 

Compliance with the Audit of the Human 
Resources System 


1. The audit performed on the Human Resources System, 
(HRS) by the Information System Audit Division/Audit Staff, 
surfaced two areas of weakness in the overall strength of 
the HRS production environment. This memorandum will 
formalize Office of Personnel request to strengthen these 
areas : 

A. No record or notice of security violations 
is printed by the system. Improper requests 
for data from the HRS are not reported to the 
DBM or other appropriate officials. 

REQUESTED ACTION: 


The system generates "Security Code Violation" to users 
who exceed their authority to extract or update information 
on the HRS. The security violation notices should reject 
the^ transaction at the time of entry and I would like to obtain 
a listing on a daily basis of all security code violations 
issued by HRS2. The listing will be picked up the following 
morning and reviewed by OP/ADRB along with their' review of 
the database statistics. 

B. Procedures for safeguarding the HRS data file 
have not been followed by ODP. 

REQUESTED ACTION: 


— — —QDP -should- follow established procedures to insure that 

backup copies of HRS files are stored offsite in a timely manner. 

Copies of HRS data files are created every night; a copy of 

the cutoff date tapes are stored at GC-4 7 in cas e GS-03 
: is damaged; and, monthly tapes are sent | I would like 

'* tcTb e ” as s' ur eel ~ th a t the p rocedures - “will be to l JLowe d 
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2. The audit found that the HRS operates efficiently an 
is generally satisfying the needs of its users. Additionally 
the personnel involved with the operation of the HRS were 
performing their assigned task in an effective manner. The 
service and fine performance of your Division certainly are a 
contribution to this effort and our accomplishments. Your 
assistance and support is greatly appreciated. 



2 


Approved For Release 2003/12/03 : CIA-RDP84-00933R0001 00290006-6 

C0NFIDFNTIAI 




